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ABSTRACT 

This Paper consists of two distinct but related 
parts. An introductory section reviews and standardizes 
the terminology to be used throughout, and outlines the 
configuration of a typical remote-access, multi-user 
resource-sharing computer system, identifying its vulner¬ 
abilities to the accidental or deliberate divulgence of 
information. The main portion of the Paper then compares 
the security and privacy situations, suggesting design 
considerations for protecting private information handled 
by computer systems. 

The privacy problem is really a spectrum of problems 
which ultimately must be assessed as an engineering 
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trade-off question: the value of private information to 
an outsider determining the resources he is willing to 
expend for acquisition; the value of the information to 
its owner determining what he is willing to pay for 
protection. 

Computer systems operating with classified military 
information and those handling private or sensitive in¬ 
formation are contrasted in terms of: controlling user 
access; incentives to penetration; hardware requirements; 
file access and protection; overall philosophy of system 
organization; certifying authorities; magnitude and 
seriousness of penetration efforts; security and protec¬ 
tion of communication circuits. Generally speaking, 
similar hardware-software and systems precautions must be 
taken. The essential distinctions are in the legal frame¬ 
work, value of information, magnitude of resources for both 
protection and penetration, and in communications security. 
The all-important difference is that the users of a com¬ 
puter-private network may not be subject to a common 
authority and discipline, or that these forces may be in¬ 
adequate to deter deliberate attempts at penetration. 
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I. INFORMATION LEAKAGE IN A RESO URCE "SHARING 

COMPUTER SYSTEM 

With the advent of computer systems which share the 
resources of the configuration among several users or 
several problems, there is the risk that information from 
one user (or computer program) will be coupled to another 
user (or program). In many cases, the information in 
question will bear a military classification or be sensi¬ 
tive for some reason, and safeguards must be provided to 
guard against the leakage of information. This session 
is concerned with accidents or deliberate attempts which 
divulge computer-resident information to unauthorized 

parties. 

Espionage attempts to obtain military or defense in¬ 
formation regularly appear in the news. Computer systems 
are now widely used in military and defense installations, 
and deliberate attempts to penetrate such computer systems 
must be anticipated. There can be no doubt that safe¬ 
guards must be conceived which will protect the informa¬ 
tion in such computer systems. There is a corresponding 
situation in the industrial world. Much business informa¬ 
tion is company-confidential because it relates to pro¬ 
prietary processes or technology, or to the success, 
state-of-health of the company. One can 


failure, or 
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imagine a circumstance in which it would be profitable 
for one company to mount an industrial espionage attack 
against the computer system of a competitor. Similarly, 
one can imagine scenarios in which confidential informa- 
tion on individuals which is kept within a computer is 
potentially profitable to a party not authorized to have 
the information. Hence, we can expect that penetrations 
will be attempted against computer systems which contain 
non-military information. 

This session will not debate the existence of es¬ 
pionage attempts against resource-sharing systems. Rather, 
it is assumed that the problem exists, at least in 
principle if not in fact, and our papers will be devoted 
to discussing technological aspects of the problem and 
possible approaches to safeguards. 

First of all, clarification of terminology is in order. 
For the military or defense situation, the jargon is well 
established. We speak of "classified information," 
"military security," and "secure computer installations." 
There are rules and regulations governing the use and 
divulgence of military-classified information, and we 
need not dwell further on the issue. In the non-military 
area, terminology is not established. The phrase 
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"industrial security" includes such things as protecting 
proprietary designs and business information; but it also 
covers the physical protection of plants and facilities. 

For our purposes, the term is too broad. In most circles, 
the problem which will concern us is being called the 
’’privacy problem." 

The words "private" and "privacy" are normally asso¬ 
ciated with an individual in a personal sense, but Webster' s. 

International Dictionary also provides the fol- 


lowing definitions: 

Private: ....intended for or restricted to the use 

of a particular person, or group, or 
class of persons; not freely available 
to the public 

Privacy: ....isolation, seclusion, or freedom from 

zed oversight or observation. 


We are talking about restricting information within a 
computer for the use of a specified group of persons, 
we do not want the information freely available to the 
public. We want to isolate the information from un¬ 
authorized observation. Hence, the terminology appears 
appropriate enough, although one might hope that new 
terms will be found that do not already have strongly 



-4- 


established connotations. For our purposes today, 

"security” and "classified" will refer to military or 
defense information or situations; "private" or "privacy," 
to the corresponding industrial, or non-military govern¬ 
mental situations. In each case, the individual authorized 
to receive the information will have "need to know" or 
"access authorization." 

We will do the following in this session. In order 
to bring all of us to a common level of perspective on 
resource-sharing computer systems, I will briefly review 
the configuration of such systems and identify the major 
vulnerabilities to penetration and to leakage of informa¬ 
tion. The following paper by Mr. Peters will describe 
the security safeguards provided for a multi-programmed 
remote-access computer system. Then I will contrast the 
security and privacy situations, identifying similarities 
and differences. The final paper by Dr. Petersen and Dr. 
Turn will discuss technical aspects of security and privacy 
safeguards. Finally, we have a panel of three individuals 
who have faced the privacy problem in real-life systems, 
each will describe his views toward the problem, and his 
approach to a solution. In the end, it will fall upon 
each of you to conceive and implement satisfactory safe¬ 
guards for the situation which concerns you. 



-5- 


A priori, we can not be certain how dangerous a given 
vulnerability might be. Things which are serious for some 
computer systems may be only a nuisance for others. Let 
us take the point of view that we will not prejudge the 
risk associated with a given vulnerability or threat to 
privacy. Rather, let us try only to suggest some of the 
ways in which a computer system might divulge information 
to an unauthorized party in either the security or the 
privacy situation. We'll leave for discussion in the con¬ 
text of particular installations the question of how much 
protection we want to provide, what explicit safeguards 
must be provided, and how serious any particular vulnera¬ 
bility might be. 

The hardware configuration of a typical resource¬ 
sharing computer system is shown in Fig. 1. There is a 
central processor to which are attached computer-based 
files and a communication network for linking to remote 
users via a switching center. We observe first of all 
that the files may contain information of different levels 
of sensitivity or military classification; therefore, 
access to these files by users must be controlled. Im¬ 
proper or unauthorized access to a file can divulge in¬ 
formation to the wrong person. Certainly, the file can 
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Fig. 1--Typical configuration of resource-sharing computer system 
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also be stolen—a rather drastic divulgence of informa¬ 
tion. On the other hand, an unauthorized copy of a file 
might be made using the computer itself, and the copy 

revealed to unauthorized persons. 

The central processor has both hardware and software 
components. So far as hardware is concerned, the cir¬ 
cuits for such protections as bound registers, memory 
read-write protect, or privileged mode might fail and 
permit information to leak to improper destinations. A 
large variety of hardware failures might contribute to 
software failures which, in turn, lead to divulgence. 

Since the processor consists of high-speed electronic 
circuits, it can be expected that large quantities of 
electromagnetic energy will radiate; conceivably an eaves¬ 
dropping third party might acquire sensitive information. 
Failure of the software may disable such protection 
features as access control, user identification, or memory 
bounds control, leading to improper routing of information 
Intimately involved with the central computer are 
three types of personnel: operators, programmers, and 
maintenance engineers. The operator who is responsible 
for minute-by-minute functioning of the system might 
reveal information by doing such things as replacing the 
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easily be generated which would reveal to the maintenance 
man how the software protections are coded. From that 
point, it might be easy to rewire the machine so that 
certain instructions appeared to behave normally, whereas 
in fact, the protective mechanisms could be bypassed. 

While some of the things that I've just proposed 
require deliberate acts, others could happen by accident. 

Thus, so far as the computing central itself is con¬ 
cerned, we have potential vulnerabilities in control of 
access to files; in radiation from the hardware; in hard¬ 
ware, software, or combined hardware-software failures; 
and in deliberate acts of penetration or accidental mis¬ 
takes by the system personnel. 

The communication links from the central processor 
to the switching center, and from the switching center to 
the remote consoles are similarly vulnerable. Any of the 
usual wiretapping methods might be employed to steal in¬ 
formation from the lines. Since some communications will 
involve relatively high-frequency signals, electromagnetic 
radiation might be intercepted by an eavesdropper. Also, 
crosstalk between communication links might possibly reveal 
information to unauthorized individuals. Furthermore, the 
switching central itself might have a radiation or crosstalk 
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vulnerability; it might fail to make the right connection 
and so link the machine to an incorrect user. 

A remote console might also have a radiation vulner- 
• Moreover, there is the possibility that recording 
devices of various kinds might be attached to the console 
to pirate information. 'Consideration might have to be 
given to destroying the ribbon in the printing mechanism, 
or designing the platen so that impressions could not be 
read from it. 

Finally, there is the user of the system. Since his 
link to the computer is via a switching center, the central 
processor must make certain with whom it is conversing. 

Thus, there must be means for properly identifying the 
user; and this means must be proof against recording 
devices, pirating, unauthorized use, etc. Even after a 
user has satisfactorily established his identify, there 
remains the problem of verifying his right to have access 
to certain files, and possibly to certain components of 
the configuration. There must be a means for authenticating 
the requests which he will make of the system, and this 
means must be proof against bugging, recorders, pirating, 
unauthorized usage, etc. Finally, there is the ingenious 
user who skillfully invades the software system sufficiently 
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to ascertain its structure, and to make changes which are 
not apparent to the operators or to the systems programmers, 
but which give him "ins" to normally unavailable information. 

To summarize, there are human vulnerabilities through¬ 
out; individual acts can accidentally or deliberately 
jeopardize the protection of information in a system. 

Hardware vulnerabilities are shared among the computer, 
the communications system, and the consoles. There are 
software vulnerabilities; and vulnerabilities in the 
system's organization, e.g., access control, user identifica¬ 
tion and authentication. How serious any one of these might 
be depends on the sensitivity of the information being 
handled, the class of users, the operating environment, 
and certainly on the skill with which the network has been 
designed. In the most restrictive case, the network might 
have to be protected against all the types of invasions 
which have been suggested plus many readily conceivable. 

This discussion, although not an exhaustive considera¬ 
tion of all the ways in which a resource-sharing computer 
system might be either accidentally or deliberately pene¬ 
trated for the purposes of unauthorized acquisition of 
information, has attempted to outline some of the major 
vulnerabilities which exist in modern computing systems. 
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Succeeding papers in this session will address themselves 
to a more detailed examination of these vulnerabilities 
and to a discussion of possible solutions. 
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II. SECURITY AND PRIVACY: SIMILARITIES AND DIFFERENCES 

For the purposes of this Paper we will use the term 
"security" when speaking about computer systems which 
handle classified defense information, and "privacy" in 
regard to those computer systems which handle non-defense 
information which nonetheless must be protected because it 
is in some respect sensitive. It should be noted at the 
outset that the context in which security must be con¬ 
sidered is quite different from that which can be applied 
to the privacy question. With respect to classified 
military information there are federal regulations which 
establish authority, and discipline to govern the conduct 
of people who work with such information. Moreover, there 
is an established set of categories into which information 
is classified. Once information is classified Confidential, 
Secret, or Top Secret, there are well-defined requirements 
for its protection, for controlling access to it, and for 
transmitting it from place to place. In the privacy 
situation, the analogous situation may exist only in part 
or not at all. 

There are indeed Federal and State statutes which 
protect the so-called "secrecy of communication." But it 
remains to be established that these laws can be extended 
to cover or interpreted as applicable to the unauthorized 


acquisition of information from computer equipment. There 
are also laws against thievery; and at least one case 
involving a programmer and theft of privileged information 
has been tried. The telephone companies have formulated 
regulations governing the conduct of employees (who are 
subject to "secrecy of communication" laws) who may intrude 
on the privacy of individuals; perhaps this experience can 
be drawn upon by the computer field. 

Though there apparently exist fragments of law and 
some precedents bearing on the protection of information, 
nonetheless the privacy situation is not so neatly cir¬ 
cumscribed and tidy as the security situation. Privacy 
simply is not so tightly controlled. Within computer 
networks serving many companies, organizations, or agencies, 
there may be no uniform governing authority; an incomplete 
legal framework; no established discipline, or perhaps not 
even a code of ethics among users. At present there is 
not even a commonly accepted set of categories to describe 
levels of sensitivity for private information. 

Great quantities of private information are being 
accumulated in computer files; and the incentives to 
penetrate the safeguards to privacy are bound to increase. 
Existing laws may prove inadequte, 


or may need more vigorous 
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enforcement. There may be need for a monitoring and en¬ 
forcement establishment analogous to that in the security 
situation. In any event, it can not be taken for granted 
that there now exist adequate legal and ethical unbrellas 
for the protection of private information. 

The privacy problem is really a spectrum of problems. 

At one end, it may be necessary to provide only a very low 
level of protection to the information for only a very 
short time; at the opposite end, it may be necessary to 
invoke the most sophisticated techniques to guarantee 
protection of information for extended periods of time. 
Federal regulations state explicitly what aspect of national 
defense will be compromised by unauthorized divulgence of 
each category of classified information. There is no 
corresponding particularization of the privacy situation; 
the potential damage from revealing private information is 
nowhere described in such absolute terms. It may be that 
a small volume of information leaked from a private file 
may involve inconsequential risk. For example, the 
individual names of a company’s employees is probably not 
even sensitive, whereas the complete file of employees 
could well be restricted. Certainly the "big brother" 


spectre raised by recent Congressional hearings on "invasion 
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of privacy" via massive computer files is strongly related 
to the volume of information at risk. 

Because of the diverse spread in the privacy situation, 
the appearance of the problem may be quite different from 
its reality. One would argue on principle that maximum 
protection should be given to all information labeled 
private; but if privacy of information is not protected by 
law and authority, we can expect that the owner of sensitive 
information will require a system designed to guarantee pro¬ 
tection only against the threat as he sees it. Thus, while 
we might imagine very sophisticated attacks against private 
files, the reality of the situation may be that much simpler 
levels of protection will be accepted by the owners of the 
information. 

In the end, an engineering trade-off question must be 
assessed. The value of private information to an,outsider 
will determine the resources he is willing to expend to 
acquire it. In turn, the value of the information to its 
owner is related to what he is willing to pay to protect 
it. Perhaps this game-like situation can be played out 
to arrive at a rational basis for establishing the level 
of protection. Perhaps a company or governmental agency-- 
or a group of companies or agencies, or the operating 
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agent of a multi-access computer service--will have to 
establish its own set of regulations for handling private 
information. Further, a company or agency may have to 
establish penalties for infractions of these regulations, 
and perhaps even provide extra renumeration for those 
assuming the extraordinary responsibility of protecting 
private information. 

The security measures deemed necessary for a multi¬ 
processing remote terminal computer system operating in 

a military classified environment have been discussed 
* 

elsewhere. This paper will compare the security situa¬ 
tion with the privacy situation, and suggest issues to be 
considered when designing a computer system for guarding 
private information. Technology which can be applied 
against the design problem is described elsewhere. 

First of all, note that the privacy problem is to 
some extent present whenever and wherever sharing of the 
structures of a computer system takes place. A time-sharing 
system slices time in such a way that each user gets a 
small amount of attention on some periodic basis. More 


Peters, B., "Security Considerations in a Multi- 
Programmed System," presented at this session, 67 SJCC. 

Petersen, H. E., and R. Turn, Systems Implications 
of Privacy," presented at this session, 67 SJCC. 
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than one user program is resident in the central storage 
at one time; and hence, there are obvious opportunities 
for leakage of information from one program to another, 
although the problem is alleviated to some extent in 
systems operating in an interpretive software mode. In 
a multi-programmed computer system it is also true that 
more than one user program is normally resident in the 
core store at a time. Usually, a given program is not 
executed without interruption; it must share the central 
storage and perhaps other levels of storage with other 
programs. Even in the traditional batch-operated system 
there can be a privacy problem. Although only one program 
is usually resident in storage at a time, parts of other 
programs reside on magnetic tape or discs; in principle, 
the currently executing program might accidentally reference 
others, or cause parts of previous programs contained on 
partially re-used magnetic tape to be outputed. 

Thus, unless a computer system is completely stripped 
of other programs—and this means clearing or removing 
access to all levels of storage--privacy infractions are 
possible and might permit divulgence of information from 
one program to another. 
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Let us now reconsider the points raised in the Peters 
paper and extend the discussion to include the privacy 
situation. 

1) The problem of controlling user access to the 
resource-sharing computer system is similar in both the 
security and privacy situations. It has been suggested 
that one-time passwords are necessary to satisfactorily 
identify and authenticate the user in the security situ¬ 
ation. In some university time-sharing systems, permanently 
assigned passwords are considered acceptable for user 
identification. Even though printing of a password at 

the console can be suppressed, it is easy to ascertain 
such a password by covert means; hence, repeatedly used 
passwords may prove unwise for the privacy situation. 

2) The incentive to penetrate the system is present 
in both the security and privacy circumstances. Revelation 
of military information can degrade the country's defense 
capabilities. Likewise, divulgence of sensitive informa¬ 
tion can to some extent damage other parties or organiza¬ 
tions. Private information will always have some value 

to an outside party, and it must be expected that 

* 

Peters, B. , loc cit . 
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penetrations will be attempted against computer systems 
handling such information. It is conceivable that the legal 
liability for unauthorized leaking of sensitive information 
may become as severe as for divulging classified material. 

3) The computer hardware requirements appear to be 
the same for the privacy and security situations. Such 
features as memory read-write protection, bounds registers, 
privileged instructions, and a privileged mode of operation 
are required to protect information, be it classified or 
sensitive. Also, overall software requirements seem 
similar, although certain details may differ in the 
privacy situation because of communications matters or 
difference in user discipline. 

4) The file access and protection problem is similar 
under both circumstances. Not all users of a shared com¬ 
puter-private system will be authorized access to all 
files in the system, just as not all users of a secure 
computer system will be authorized access to all files. 
Hence, there must be some combination of hardware and 
software features which controls access to the on-line 
classified files in conformance with security levels and 
need-to-know restrictions and in conformance with 
corresponding attributes in the privacy situation. As 
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mentioned earlier, there may be a minor difference 
relative to volume. In classified files, denial of access 
must be absolute, whereas in private files access to a 
small quantity of sensitive information might be an 
acceptable risk. 

5) The philosophy of the overall system organization 
will probably have to be different in the privacy situation. 

In the classified defense environment, users are indoctri¬ 
nated in security measures and their personal responsibility 
can be considered as part of the system design. Just as 
the individual who finds a classified document in a hallway 
is expected to return it, so the man who accidentally re¬ 
ceives classified information at his console is expected 
to report it. The users in a classified system are subject 
to the regulations, authority, and discipline of a govern¬ 
mental agency. Similar restrictions may not prevail in 
a commercial or industrial resource-sharing computer network, 
nor in government agencies that do not operate within the 
framework of government classifications. In general, it would 
appear that one cannot exploit the good will of users as 
part of a privacy system’s design. On the other hand, 
the co-operation of users may be part of the design phil¬ 
osophy if it proves possible to impose a uniform code of 
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ethics, authority, and discipline within a multi-access 
system. Uniform rules of behavior might be possible if 
all users are members of the same organization, but quite 
difficult or impossible if the users are from many companies 
or agencies. 

6) The certifying authority is certainly different 
in the two situations. It is easy to demonstrate that the 
total number of internal states of a computer is so 
enormous that some of them will never prevail in the 
lifetime of the machine. It is equally easy to demonstrate 
that large conputer programs have a huge number of internal 
paths, which implies the potential existence of error 
conditions which may appear rarely or even only once. 
Monitor programs governing the internal scheduling and 
operation of multi-programmed time-sharing or batch- 
operated machines are likely to be extensive and complex; 
and if security or privacy is to be guaranteed, some 
authority must certify that the monitor is properly pro¬ 
grammed and checked out. Similarly, the hardware must 
also be certified to possess appropriate protective 
devices. 

In a security situation, a security officer is re¬ 
sponsible for establishing and implementing measures for 
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the control of classified information. Granted that he 
may have to take the word of computer experts or become 
a computer expert himself, and granted that of itself his 
presence does not solve the computer security problem, 
there is nonetheless at least an assigned, identifiable 
responsible authority. In the case of the commercial or 
industrial system, who is the authority? Must the business¬ 
man take the word of the computer manufacturer who supplied 
the software? If so, how does he assure himself that the 
manufacturer hasn't provided "ins" to the system that only 
he, the manufacturer, knows about? Must the businessman 
create his own analog of defense security practices? 

7) Privacy and security situations are certainly 
similar in that deliberate penetrations must be anticipated, 
if not expected; but industrial espionage against computers 
may be less serious. On the other hand, industrial pene¬ 
trations against computers could be very profitable and 
perhaps safer from a legal viewpoint. 

It would probably be difficult for a potential pene- 
trator to mount the magnitude of effort against an in¬ 
dustrial resource-sharing computer system that foreign 
agents are presumed to mount against secrecy systems of 
other governments. To protect against large-scale efforts, 
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an industry-established agency could keep track of major 
computing installations and know where penetration efforts 
requiring heavy computer support might originate. On 
the other hand, the resourceful and insightful individual 
can be as great a threat to the privacy of a system. If 
one can estimate the nature and extent of the pene¬ 
tration effort expected against an industrial system, 
perhaps it can be used as a design parameter to establsh 
the level of protection for sensitive information. 

8) The security and privacy situations are certainly 
similar in that each demands secure communication circuits. 
For the most part, methods for assuring the security of 
communication channels have been the exclusive domain of 
the military and government. What about the non-government 
user? Could the specifications levied on common carriers 
in their implied warranty of a private circuit be extended? 
Does the problem become one for the common carriers? Must 
they develop communication security equipment? If the 
problem is left to the users, does each do as he pleases? 
Might it be feasible to use the central computer itself 
to encode information prior to transmission? If so, the 
console will require special equipment for decoding the 


messages. 
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9) Levels of protection for communications are 
possibly different in the two situations. If one believes 
that a massive effort at penetration could not be mounted 
against a commercial private network, a relatively low- 
quality protection for communications would be sufficient. 
On the other hand, computer networks will inevitably go 
international. Then what? A foreign industry might find 
it advantageous to tap the traffic of U.S. companies 
operating an international and presumably private computer 
network. Might it be that for reasons of national interest 
we will someday find the professional cryptoanalytic 
effort of a foreign government focused on the privacy- 
protecting measures of a computer network? 

If control of international trade were to become an 
important instrument of government policy, then any inter¬ 
national communications network involved with industrial 
or commercial computer-private systems will need the best 
protection that can be provided. 

This Paper has attempted to identify and briefly 
discuss the differences and similarities between computer 
systems operating with classified military information and 
computer systems handling private or sensitive information. 



-26- 


Similar hardware and software and systems precautions 
must be taken. In most respects, the differences between 
the two situations are only of degree. However, there 
are a few aspects in which the two situations genuinely 
differ in kind, and on these points designers of a system 
must take special note. The essential differences between 
the two situations appear to be the following: 

1) Legal foundations for protecting classified 
information are well established, whereas in 
the privacy situation, a uniform authority over 
the users and penalty structure for infractions 
is lacking. We may not be able to count on the 
good will and disciplined behavior of users as 
part of the protective measures. 

2) While penetrations can be expected against both 
classified and sensitive information, the worth 
of the material at risk in the two situations can 
be quite different, not only to the owner of the 
data but also to other parties and to society. 

3) The magnitude of the resources available for 
protection and for penetration are markedly 
smaller in the privacy situation. 
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4) While secure communications are required in both 
situations, there are significant differences 

in details. In the defense environment, pro¬ 
tected communications are the responsibility of 
a government agency, appropriate equipment is 
available, and the importance of protection 
overrides economic considerations. In the 
privacy circumstance, secure satisfactory com¬ 
munication equipment is generally not available, 
and the economics of protecting communications is 
likely to be more carefully assessed. 

5) Some software details have to be handled dif¬ 
ferently in the privacy situation to accommodate 
differences in the security of communications. 

It must be remembered that since the Federal authority 
and regulations for handling classified military informa¬ 
tion do not function for private or sensitive information, 
it does not automatically follow that a computer network 
designed to safely protect classified information will 
equally well protect sensitive information. The all 
important difference is that the users of a computer- 
private network may not be subject to a common authority 
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and discipline. But even if they are, the strength of 
the authority may not be adequate to deter deliberate 
attempts at penetration. 



